Connecting Agents to the Privilege Manager Server via Group Policy

Regardless of how you installed or rolled out agents on your network, Privilege Manager provides a way to link those agents to Servers: template files for Group Policy that enable you to point agents back to the Privilege Manager Server.

To perform this task, do the following steps:

  1. Download the attached PrivilegeManagerAgent.admx and PrivilegeManagerAgent.adml zip folders and extract the corresponding files (one file from each zip folder).

  2. Install the downloaded and extracted custom Privilege Manager Group Policy files either on a single machine or on a domain controller.

    • To install on a single machine:
      1. Copy PrivilegeManagerAgent.admx to %systemroot%\PolicyDefinitions
      2. Copy PrivilegeManagerAgent.adml to %systemroot%\PolicyDefinitions\en-US
    • To install on a Domain Controller, effectively making the custom GPO available to all Domain Administrators:
      1. Copy PrivilegeManagerAgent.admx to %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions
      2. Copy PrivilegeManagerAgent.adml to %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\en-US
  3. From the Group Policy Management Editor, navigate to Policies.

  4. Go to Administrative Templates > Privilege Manager > Agents > Privilege Manager Agent and click Connected Server.

  5. In the Connected Server window click Enabled.

  6. In the Server field, enter the URL for your Privilege Manager Server, then click OK.

  7. Now you need to copy some data from Privilege Manager. In Privilege Manager, navigate to Admin | Agents | Installation Codes tab.

  8. Copy the Code value by clicking Copy.

  9. Switch back to the Group Policy Editor and, in the Privilege Manager Agent window, click Install Code.

    1. In the Install Code window, click Enabled.
    2. In the Install Code field, paste the Code value you copied from the Installation Codes tab in Privilege Manager.
    3. Click OK.
  10. Set the Client Item Signature Validation. By default, Privilege Manager validates only client items that have a signature present. If you want to require that all client items have a valid signature, then configure the group policy settings to enforce the Require Signed Client Items setting.

Un-Installing Old Templates

If you had previously downloaded and installed files which had the names "AMSAgent.admx" and "AMSAgent.adml", these should be removed. Do so as follows:

  • To un-install from a single machine:

    1. Delete AMSAgent.admx from %systemroot%\PolicyDefinitions
    2. Delete AMSAgent.adml from %systemroot%\PolicyDefinitions\en-US
  • To un-install from a Domain Controller:

    1. Delete AMSAgent.admx from %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions
    2. Delete AMSAgent.adml from %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\en-US
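
The template copy steps (step 2 above) and the removal of the old AMSAgent templates, scripted in PowerShell as an added example; it is not part of the vendor's documentation or tooling. The function name and its parameters are hypothetical, the file names and destination paths are the ones listed on this page, and only the en-US language folder is handled.

```powershell
# Added example, not vendor code. Install-PmAgentTemplate and its parameters are hypothetical names.
function Install-PmAgentTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceDir,   # folder holding the two extracted files
        [ValidateSet('Local', 'DomainController')][string]$Target = 'Local'
    )
    $root = if ($Target -eq 'Local') {
        Join-Path $env:SystemRoot 'PolicyDefinitions'
    } else {
        Join-Path $env:SystemRoot 'SYSVOL\domain\Policies\PolicyDefinitions'
    }
    $lang = Join-Path $root 'en-US'
    # Creating a central store that did not exist before makes the Group Policy
    # editors stop reading the local PolicyDefinitions folder, so refuse to
    # create either folder implicitly.
    foreach ($dir in $root, $lang) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            throw "Template folder '$dir' does not exist; not creating it."
        }
    }
    $plan = @(
        @{ File = 'PrivilegeManagerAgent.admx'; Dest = $root; Legacy = 'AMSAgent.admx' }
        @{ File = 'PrivilegeManagerAgent.adml'; Dest = $lang; Legacy = 'AMSAgent.adml' }
    )
    # Check both sources up front so a missing file cannot leave a half-installed pair.
    foreach ($item in $plan) {
        $src = Join-Path $SourceDir $item.File
        if (-not (Test-Path -LiteralPath $src -PathType Leaf)) { throw "Missing source file: $src" }
    }
    foreach ($item in $plan) {
        $src = Join-Path $SourceDir $item.File
        $dst = Join-Path $item.Dest $item.File
        if ($PSCmdlet.ShouldProcess($dst, 'Copy template')) {
            Copy-Item -LiteralPath $src -Destination $dst -Force
            # Confirm the installed copy is byte-identical to the extracted file.
            if ((Get-FileHash -LiteralPath $src).Hash -ne (Get-FileHash -LiteralPath $dst).Hash) {
                throw "Hash mismatch after copy: $dst"
            }
        }
        # Remove the old AMSAgent template from the same folder, if present.
        $old = Join-Path $item.Dest $item.Legacy
        if ((Test-Path -LiteralPath $old -PathType Leaf) -and
            $PSCmdlet.ShouldProcess($old, 'Remove old template')) {
            Remove-Item -LiteralPath $old -Force
        }
    }
}
# Preview from an elevated prompt (the source path is a constructed placeholder):
# Install-PmAgentTemplate -SourceDir 'C:\Temp\pm-templates' -Target Local -WhatIf
```

Run it with -WhatIf first to see which files would be copied and deleted, then without it to apply the changes.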